[c-nsp] Pix FOS

Joseph Jackson JJackson at aninetworks.com
Tue Jan 2 17:22:39 EST 2007


That bug you've listed was resolved in 7.0(5)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Afsheen Bigdeli
Sent: Tuesday, January 02, 2007 2:16 PM
To: Voll, Scott
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Pix FOS

I've successfully upgraded from 6.3 to 7.2, for three different sets of 
firewalls, over the past 6 months. Yes, you can upgrade straight to 7.2.

Firstly, you'll want this link handy:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note
09186a00804708d8.shtml

Secondly, as is mentioned in that document, the jump to 7.x from 6.x is 
a big one. Your config will look _very_ different. Be aware specifically

of the changes to how interfaces (both physical and logical) are 
represented, the implication of changes to the fixup command (i.e. where

did fixup go, and what does inspect mean, and what traffic should you be

inspecting?), and what commands have been deprecated by the 7.x train.

As for recommendations, overall, yes, I'd recommend it. Admittedly, 
there are one or two interesting bugs - inspect http, for example, will 
take out even the PIX 535's with memory utilization problems if you're 
pushing more than a modest amount of http traffic through the firewall. 
(This is covered in CSCsd72617, I believe.) There are also plenty of 
things that make more sense aesthetically - at least to me - if you're 
already used to IOS syntax. That, combined with one or two necessary 7.x

only commands (e.g. same-security-traffic permit intra-interface) made 
the jump well worth it.

--afsheenb


Voll, Scott wrote:
> I'm currently running Pix FOS 6.3 but need to upgrade to at least 7.1.
> I also see that 7.2 is out.  
> 
>  
> 
> Two Questions:
> 
>  
> 
> I know I need to upgrade from 6.3 to 7.0 in order to upgrade to
7.1.....
> What do I need to do to upgrade to 7.2?  Can I skip 7.1?
> 
>  
> 
> Is anyone using 7.2?  if so, would you recommend it?
> 
>  
> 
> Thanks
> 
>  
> 
> Scott
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



More information about the cisco-nsp mailing list